
IAM password policies should require at least one lowercase letter

Brute force and dictionary attacks get easier when passwords lack character diversity. Requiring lowercase letters alongside uppercase, digits, and symbols expands the effective keyspace, making offline cracking and credential stuffing more expensive.

This setting applies account-wide to every IAM user who authenticates with a password. A missing lowercase requirement often signals the password policy was never explicitly configured, meaning other complexity settings are probably also sitting at their weak defaults.

Retrofit consideration

Existing IAM users are not forced to change their passwords immediately. The new requirements apply only when a user next rotates or manually resets a password, so enforcement may lag until max_password_age triggers a reset.

Implementation

Choose the approach that matches how you manage Terraform.

Use AWS provider resources directly. See docs for the resources involved: aws_iam_account_password_policy.

resource "aws_iam_account_password_policy" "this" {
  max_password_age             = 90
  minimum_password_length      = 14
  password_reuse_prevention    = 24
  require_numbers              = true
  require_symbols              = true
  require_uppercase_characters = true

  require_lowercase_characters = true
}

What this control checks

The control checks that aws_iam_account_password_policy has require_lowercase_characters set to true. One resource governs the entire account. It fails when the resource is absent, when the attribute is explicitly false, or when it is omitted (the default is false). To pass, declare the resource with require_lowercase_characters = true. This resource cannot be scoped to specific users or groups.
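The three failure conditions above can be exercised directly against Terraform source. The following is an added example, not tooling from the page or from Compliance.tf: a small Python checker that locates aws_iam_account_password_policy blocks with a regular expression (an assumption that suffices for this resource's flat attribute list; a production tool would use a real HCL parser) and returns PASS or FAIL for a compliant declaration, an explicit false, an omitted attribute, and an absent resource. The sample snippets are constructed for the example.

```python
import re

# Constructed Terraform snippets (not from the page) covering each outcome the
# control distinguishes: a compliant declaration, an explicit false, an omitted
# attribute (provider default is false), and no password-policy resource at all.
SAMPLES = {
    "compliant": '''
resource "aws_iam_account_password_policy" "this" {
  minimum_password_length      = 14
  require_lowercase_characters = true
}
''',
    "explicit_false": '''
resource "aws_iam_account_password_policy" "this" {
  minimum_password_length      = 14
  require_lowercase_characters = false
}
''',
    "omitted": '''
resource "aws_iam_account_password_policy" "this" {
  minimum_password_length = 14  # require_lowercase_characters left at default
}
''',
    "absent": '''
resource "aws_iam_user" "break_glass" {
  name = "break-glass"
}
''',
}

# Matches one top-level resource block of the password-policy type and captures
# its label and body. Adequate for flat attribute lists, which is all this
# resource type has; a real tool would use an HCL parser.
RESOURCE_RE = re.compile(
    r'^resource\s+"aws_iam_account_password_policy"\s+"(?P<label>[^"]+)"\s*\{'
    r'(?P<body>.*?)^\}',
    re.MULTILINE | re.DOTALL,
)
# One `key = value` line; the value stops at a comment marker or end of line.
ATTR_RE = re.compile(r'^\s*(?P<key>[a-z_]+)\s*=\s*(?P<value>[^#\n]+)', re.MULTILINE)


def parse_policy_blocks(hcl: str) -> dict:
    """Return {label: {attribute: value}} for every password-policy resource in the text."""
    blocks = {}
    for block in RESOURCE_RE.finditer(hcl):
        attrs = {
            a.group("key"): a.group("value").strip().strip('"').lower()
            for a in ATTR_RE.finditer(block.group("body"))
        }
        blocks[block.group("label")] = attrs
    return blocks


def evaluate_lowercase_control(hcl: str) -> tuple:
    """Apply the control's failure conditions to a Terraform source string.

    Returns ("PASS" | "FAIL", reason). Omission fails because the provider
    default for require_lowercase_characters is false.
    """
    blocks = parse_policy_blocks(hcl)
    if not blocks:
        return "FAIL", "no aws_iam_account_password_policy resource declared"
    if len(blocks) > 1:
        # The API object is a singleton; two declarations will overwrite each other.
        return "FAIL", f"{len(blocks)} password-policy resources declared in one module"
    label, attrs = next(iter(blocks.items()))
    value = attrs.get("require_lowercase_characters")
    if value is None:
        return "FAIL", f"{label}: require_lowercase_characters omitted (defaults to false)"
    if value != "true":
        return "FAIL", f"{label}: require_lowercase_characters = {value}"
    return "PASS", f"{label}: require_lowercase_characters = true"


def run_all() -> dict:
    """Evaluate every sample and return {sample_name: status}."""
    return {name: evaluate_lowercase_control(src)[0] for name, src in SAMPLES.items()}


if __name__ == "__main__":
    for name, src in SAMPLES.items():
        status, reason = evaluate_lowercase_control(src)
        print(f"{name:15s} {status:4s} {reason}")
```

Running the script prints one line per sample; only the first passes. The same function can be pointed at a real root module by reading its .tf files into one string, which is also where the singleton check earns its keep.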

Common pitfalls

  • Singleton resource conflicts

    Two Terraform stacks or workspaces that both declare aws_iam_account_password_policy will fight over the same API object: each apply overwrites the other's settings, so the policy flips back and forth. Manage this resource in exactly one root module, typically your account baseline.

  • Default values are not compliant

    AWS defaults require_lowercase_characters to false. Importing an existing policy without explicitly setting the attribute to true leaves you non-compliant even if the resource already exists in state.

  • No retroactive enforcement on existing passwords

    Enabling require_lowercase_characters only applies to passwords set after the policy change. Existing IAM user passwords stay valid until max_password_age triggers expiration or someone manually resets them. Without max_password_age configured, non-compliant passwords persist indefinitely.

  • SSO-only accounts still need the policy

    Even if your organization uses IAM Identity Center for all human access, compliance frameworks still expect the IAM password policy to be configured. Break-glass IAM users or service accounts with console access inherit whatever policy exists, or the insecure defaults if none does.

Audit evidence

An auditor expects aws iam get-account-password-policy output showing RequireLowercaseCharacters: true. AWS Config rule iam-password-policy evaluation results provide continuous evidence. IAM console screenshots of the Account settings password policy page showing the lowercase requirement checked are also acceptable.
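To turn the CLI evidence into something repeatable, the following added example (not from the page or from any of the tools it lists) evaluates the JSON that aws iam get-account-password-policy prints. It treats an empty result, which is what you get when the CLI reports NoSuchEntity because no policy was ever set, as a failure, and it flags a policy that passes the lowercase check but lacks MaxPasswordAge, since, as the pitfalls above note, existing passwords then never expire. The sample outputs are constructed; the collect_live helper and its assumption about the NoSuchEntity error text are the example's own.

```python
import json
import subprocess

# Constructed sample outputs of `aws iam get-account-password-policy` (not from a
# real account). The CLI prints a top-level PasswordPolicy object on success and
# exits non-zero with a NoSuchEntity error when no policy has ever been set.
CONFIGURED_OUTPUT = json.dumps({
    "PasswordPolicy": {
        "MinimumPasswordLength": 14,
        "RequireSymbols": True,
        "RequireNumbers": True,
        "RequireUppercaseCharacters": True,
        "RequireLowercaseCharacters": True,
        "AllowUsersToChangePassword": True,
        "ExpirePasswords": True,
        "MaxPasswordAge": 90,
        "PasswordReusePrevention": 24,
    }
})

# Lowercase required, but no MaxPasswordAge: passes the control, yet existing
# passwords are never forced through the new rules.
NO_EXPIRY_OUTPUT = json.dumps({
    "PasswordPolicy": {
        "MinimumPasswordLength": 14,
        "RequireLowercaseCharacters": True,
        "ExpirePasswords": False,
    }
})

WEAK_OUTPUT = json.dumps({
    "PasswordPolicy": {"MinimumPasswordLength": 8, "RequireLowercaseCharacters": False}
})

NO_POLICY_OUTPUT = ""  # stdout is empty when the CLI reports NoSuchEntity


def evaluate_evidence(cli_stdout: str) -> dict:
    """Turn CLI output into an evidence record: verdict, the value observed, and caveats."""
    record = {"status": "FAIL", "observed": None, "warnings": []}
    if not cli_stdout.strip():
        record["warnings"].append(
            "no account password policy exists (NoSuchEntity); AWS defaults apply"
        )
        return record
    policy = json.loads(cli_stdout).get("PasswordPolicy", {})
    # A missing key is treated as false, never as a pass.
    observed = bool(policy.get("RequireLowercaseCharacters", False))
    record["observed"] = observed
    record["status"] = "PASS" if observed else "FAIL"
    if "MaxPasswordAge" not in policy:
        record["warnings"].append(
            "MaxPasswordAge not set: passwords created before the policy change never expire"
        )
    return record


def collect_live(profile=None) -> str:
    """Run the real CLI (assumed installed and authenticated) and return its stdout.

    Returns '' when the CLI reports NoSuchEntity so evaluate_evidence can treat
    the missing policy as a failure; any other error is raised.
    """
    cmd = ["aws", "iam", "get-account-password-policy", "--output", "json"]
    if profile:
        cmd += ["--profile", profile]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    if proc.returncode != 0:
        if "NoSuchEntity" in proc.stderr:
            return ""
        raise RuntimeError(proc.stderr.strip())
    return proc.stdout


if __name__ == "__main__":
    # Offline demonstration over the constructed samples; swap in collect_live()
    # to evaluate a real account.
    for name, out in [("configured", CONFIGURED_OUTPUT), ("no_expiry", NO_EXPIRY_OUTPUT),
                      ("weak", WEAK_OUTPUT), ("no_policy", NO_POLICY_OUTPUT)]:
        print(name, json.dumps(evaluate_evidence(out)))
```

The record it returns is the shape an auditor wants to file: the verdict, the exact attribute value observed, and any caveats that qualify it. Storing the raw CLI JSON next to the record keeps the evidence reproducible.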

For ongoing assurance, Security Hub findings for this control under AWS Foundational Security Best Practices should show PASSED with a recent evaluation timestamp.

Framework-specific interpretation

PCI DSS v4.0: Requirement 8.3.6 mandates passwords that include a mix of numeric and alphabetic characters. Lowercase letters satisfy part of the alphabetic character diversity expectation.

GDPR: Article 32 asks for 'appropriate technical measures' to protect personal data. GDPR does not specify password rules, but regulators expect enforced authentication controls, and documented password complexity policies are standard audit evidence.

FedRAMP Moderate Baseline Rev 4: IA-5(1) at the Moderate baseline requires mixed character types for password-based authentication. Lowercase letters are one component of that requirement alongside uppercase, digits, and special characters.

Tool mappings

Use these identifiers to cross-reference this control across tools, reports, and evidence.

  • Compliance.tf Control: iam_account_password_policy_one_lowercase_letter

  • AWS Config Managed Rule: IAM_PASSWORD_POLICY

  • Checkov Check: CKV_AWS_11

  • Powerpipe Control: aws_compliance.control.iam_account_password_policy_one_lowercase_letter

  • Prowler Check: iam_password_policy_lowercase

  • AWS Security Hub Control: IAM.12

  • Trivy Check: AWS-0058

Last reviewed: 2026-03-09